The UK's data watchdog has defended its approach to regulating government health technologies during the pandemic as "pragmatic."
In its annual report, the Information Commissioner's Office (ICO) said it had supported public health innovation, reflecting the flexibility of data protection law.
The watchdog had come under fire early in the pandemic as campaigners saw a lack of oversight over the introduction of the Test and Trace system. In June last year, the Open Rights Group (ORG) instructed lawyers to lodge a complaint with the ICO over the rollout of the system, arguing it breached the General Data Protection Regulation (GDPR).
ORG said Public Health England, which launched the Test and Trace programme, had failed to carry out a Data Protection Impact Assessment before processing data in high-risk situations.
Ravi Naik, legal director of the data rights agency AWO and solicitor instructed by the Open Rights Group, said at the time: "Rushing out Test and Trace without following basic legal requirements is troubling. We trust that the ICO will act accordingly to enforce the law and bring some transparency to the Test and Trace process."
But in its annual report, the ICO insisted it had taken a "pragmatic approach" to the rollout. "We have made sure people's data is being used fairly, lawfully and transparently," the regulator said. "The result was that the necessary consideration of people's data protection rights was built into national exposure notification apps, with our feedback prompting changes in areas such as transparency and improved privacy information. We also influenced the data protection by design approach, that ensured data collected and shared was minimised. Our regulatory role continued beyond the launches of these apps and included an audit of the Test and Trace ecosystem in early 2021."
The ICO also reported that it had seen a 20 per cent drop in personal data breach reports, from 11,854 in the 2019/20 financial year, down to 9,532 in the most recent financial year (2020/21).
The coronavirus outbreak was cited as one of the reasons for the fall, although the introduction of mandatory breach reporting in sectors that handle large volumes of personal data has also contributed to the trend, the watchdog said.
The sector that reported the most data breaches was healthcare, with 17 per cent. Education and childcare came second at 14 per cent.
However, the sector receiving the highest number of complaints was financial services, followed by general business, then online technology and telecoms. The most likely reason for a complaint was subject access, or the difficulty individuals have getting hold of their own data.